Threat indicator data needs a wide net, experts say

Robust, cross-cutting organizational networks are key to disseminating cybersecurity threat information.


Seeing and sharing the telltale tracks of cyber attackers across networks isn't just technical -- it depends on a wide array of allies that talk among themselves, according to government and industry cyber experts.

Most cyber attackers still rely on unpatched software and phishing to get into networks, said Rick Driggers, deputy assistant secretary for cybersecurity and communications at the Department of Homeland Security's National Protection and Programs Directorate. That's because those methods still work most of the time, he said.

Speaking at a May 31 CyberScoop conference, Driggers and other cyber experts said industry and government have to continue to push to change that cybersecurity equation.

Driggers said his agency has shared almost two million threat indicators at machine speed with commercial partners since 2016, but DHS is also looking to connect on a more personal scale with industry to encourage data sharing.

"It's about partnerships and information sharing. We work every day to build our partnerships through formal large robust government partnerships … so we can open up information sharing channels," he said. "But we also want to do this informally. We want our analysts to have working relationships and be able to collaborate with private sector analysts," in sharing threat data.

DHS, he said, has been listening to industry concerning its automated threat indicator data and honing it to make it more relevant and effective. "We're making changes," he said.

In an interview with FCW, Driggers said the agency is working to make the indicators "more definitive" with more context about how each was developed. Those changes are direct results of feedback from industry, he said.

Ron Ross, a National Institute of Standards and Technology fellow, along with other cybersecurity experts at the event, said larger context is vital to blunting growing cyber threats from nation-states and criminals. A wide network of allies across the federal government and private industry, they said, can eventually make successful attacks more costly for cyber attackers, without defenders having to spend more time and money.

The experts advised federal agencies to look not only to commercial and U.S. federal partners, but also to like-minded organizations.

House of Representatives Chief Information Security Officer Randy Vickers said his employer has been working with information security organizations in other countries. The House has been sharing cyber threat data with information security offices in the parliaments in the other Five Eyes nations -- Australia, Canada, New Zealand and the United Kingdom.